Closed naftulikay closed 6 years ago
slavaaaaaaaaaa
commented
6 years ago I'm not sure this is needed, as all daemon software we run is potentially untrusted and may or may not communicate with outside services. If I understand correctly, Nominatim is no different.
Another question is, how would this layer be different technically?
lordnynex
commented
6 years ago For a lot of reasons not worth describing, the network ACL's are extremely permissive. By design, 'titan' delegates a lot of security to actual security groups. I don't see a lot of value to an entire untrusted layer because there is still the overhead of wrapping any app or database in a security group that must be configured to allow the traffic.
naftulikay
commented
6 years ago @lordnynex yes this makes sense to me too. Everything is going to be confined by security groups anyway.
The only thing I see would be ading NACL rules to disallow all SSH access coming out of this new layer.
I will probably close and reject this, but I'll also wait for @taup1n @catherinetcai and @asciifaceman.
naftulikay
commented
6 years ago Okay, done waiting. Closing this because there is no good justification for it.
If you feel that you have a use case for this, simply tightly couple security groups and possibly add TLS if your security use case needs internal TLS.
For example, consider an ELK stack composed of static EC2 Elasticsearch instances, an Elasticsearch ELB, a Kibana instance, a Logstash auto-scaling group, and a Logstash ELB.
Here's a first go at a Kibana security group using CIDR-based loose coupling:
kibana/r.security_groups.tf
resource "aws_security_group" "kibana" {
name = "..."
description = "..."
vpc_id = "${data.terraform_remote_state.network.vpc_id}"
ingress {
protocol = "tcp"
from_port = 80
to_port = 80
cidr_blocks = ["${data.terraform_remote_state.network.routing_cidr_blocks"]
ipv6_cidr_blocks = ["${data.terraform_remote_state.network.routing_ipv6_cidr_blocks"]
}
}This will allow all traffic from the routing layer to Kibana. The design of the routing layer is to provide layer 5 and 7 routing, so it makes sense that it will need to route into Kibana to be able to serve the UI over WAN if desired. (Put it behind authentication, you've been warned.)
Here's an example of tight coupling:
kibana/r.security_groups.tf
resource "aws_security_group" "kibana" {
name = "..."
description = "..."
vpc_id = "${data.terraform_remote_state.network.vpc_id}"
ingress {
protocol = "tcp"
from_port = 80
to_port = 80
self = true
security_groups = ["${data.terraform_remote_state.routing.instance_security_group_id}"]
}
}With this tightly-coupled security group, we can only permit traffic directly from routing instances to the Kibana instance. No other traffic will be allowed. Via self = true, Kibana will be able to remotely access itself without the loopback interface.
This same example can be generalized to all of the ELK services. Tightly coupled security groups would look like this:
The above would have the following implications:
The only way to make this more secure IMHO is to add TLS at all the hops, but that complicates the design tremendously and would mean TLS deployment for most internal services.
Phew. I'm closing this.
RFC for @lordnynex @asciifaceman @smaslennikov @catherinetcai @taup1n
Proposal
I propose adding another layer to the layers that we have for third party services which are trusted less. I am not set on the name, but "untrusted" is a candidate, I hope we can come up with something better.
Titan has the following layers presently:
I recently witnessed a contractor creating an entirely separate VPC for a Nominatim cluster, which is a third party location database. I am not entirely sure of the usefulness, hence the RFC. Running a service like this in an "untrusted" layer would allow tighter security rules for this area of the network in NACLs and security groups.
Pros
Cons